AAA Operation

To enable AAA on the router, go to configuration mode and simply enter

 Router(config)#aaa new-model 

Specify the protocol and location of the AAA server with one of the following lines:

 tacacs-server host ip-address [single-connection] radius-server host ip-address 

The host ip-address specifies the IP address of the AAA TACACS or RADIUS server, and the single-connection option only available with TACACS specifies that the router maintain a single open connection for confirmation from an AAA/TACACS+ server (CiscoSecure Release 1.0.1 or later). The single-connection option does give better performance, but it is not the default.

The last command to get AAA up and running configures the shared password between the router and the AAA server. The passwords are case-sensitive:

 tacacs-server key key radius-server key key 

A complete example looks something like this:

 Router(config)#aaa new-model Router(config)#tacacs-server host 192.168.1.100 single-connection Router(config)#tacacs-server key MyPassWord 

AAA Authentication Commands

aaa authentication login specifies that you want to use authentication. You need to give the authentication parameters a list name, either default or some other name you define:

[View full width]
 aaa authentication login {default | list-name} group {group-name | radius | tacacs+}  [method 2...3...4] 

Using the name default means its settings are applied to all lines (console, VTY, TTY, and so on) and interfaces (async, serial, Ethernet, and so on) unless you define and use another name. A unique list name overrides the default and its settings when applied to a specific line or interface.

The group parameter has three options: a group-name, radius, or tacacs+. If you use either tacacs+ or radius, the router uses all those types of servers that you configured using the tacacs/radius-server host ip-address command, or you can build a custom group and call it with its group name. The other methods are used if the method before it has an error. One other method of special note is none with the option that if all others fail, you are authenticated. All the different authentication methods appear in Table 3.1.

Here is a working example of two different authentication settings:

 Router(config)#aaa authentication login default group tacacs+ local Router(config)#aaa authentication login fallback group tacacs+ enable Router(config)#line vty 0 4 Router(config-line)#login authentication fallback 

The first command builds the default list. It tries to authenticate to all TACACS servers configured, and if it receives no response, it uses the next configured setting for authentication in this example, the local username database.

The second command creates a list called fallback. It checks the TACACS servers, and if it receives no response, it uses the enable password.

The third and fourth commands apply the fallback list to the five VTY lines, 0 through 4.

A trick question here is to ask what authentication settings are in use for Line Console 0; the answer is the default list. Remember that once a default list is built, it applies to all interfaces and lines unless overridden by an explicit assignment as you saw on the VTY ports.

Another feature worth pointing out is that when you turn on authentication using the default group, it is applied to all interfaces. You will find yourself locked out of the router if you have not finished setting up your authentication sources and you log out or your session times out.

AAA Authorization Commands

Once a user is authenticated, you can set parameters that restrict the user's access on the network using the aaa authorization command. The authorization commands have the same look and feel as the authentication command:

[View full width]
 aaa authorization {network | exec | commands level | reverse-access} {default | list-name}  [method 2...3...4] 

Table 3.2 lists the four areas of control where you can grant specific authorization.

Remember that default and list-name are simply the identifiers for the AAA parameters. You use default, or specify other non-default parameters by using list-name. There are a number of ways in which a user can be authenticated; Table 3.3 lists the options for the AAA authorization command.

For authorization, let's take a look at two different examples: one for character mode and the other for packet mode. Remember, in character mode, you are usually securing the router itself:

 Router(config)#aaa authorization exec default group tacacs+ none 

In this example, a user must be authorized by a TACACS+ server before he can gain access to an EXEC shell or prompt. If the TACACS+ servers are unreachable, then the user is automatically granted access because of the none option at the end. This method is used mainly for administrators who still have physical access to the device.

Let's examine a packet-level example:

 Router(config)#aaa authorization network checkem group tacacs+ if-authenticated Router(config)#int serial 0 Router(config-if)#ppp authorization checkem 

The first command determines whether a user is allowed to make a packet-level connection. It built a list called checkem that looks to the TACACS+ servers first; if the servers are down, it allows access if the user has been authenticated. The last command applies the checkem list to PPP services on Serial 0.

AAA Accounting Commands

Accounting allows you to track individual and group usage of network resources. When AAA accounting is activated, the router logs user activity to the TACACS+ or RADIUS server. You can then analyze this data for network management, client billing, security, or auditing. The accounting command looks like this:

[View full width]
 aaa accounting {system | network | exec | connection | commands level} {default |  list-name} {start-stop | wait-start | stop-only | none} [method 2...3...4] 

The aaa accounting command is unlike the authorization and authentication commands that have two halves. Accounting has three parts: what service or services you want to audit (see Table 3.4), which events trigger it, and where to send the information.

Remember that default and list-name are simply the identifiers for the AAA parameters. You use default, or specify other non-default parameters by using list-name. Also worth mentioning is that the aaa accounting system command is the only command that doesn't apply to packet or character mode. The different events that you can use for accounting appear in Table 3.5.

Then, the accounting command indicates for which server groups the information is recorded and logged. Table 3.6 lists accounting methods for server groups.

Let's look at an example of the aaa accounting command. Here we use the command twice to set up accounting for two different events:

 Router(config)#aaa accounting connection default start-stop group tacacs+ Router(config)#aaa accounting commands 15 default start-stop group tacacs+ 

The first command monitors any Telnet, rlogin, or other outbound connections, such as when they start and stop, and logs the information to the AAA servers configured under TACACS+.

The second command turns on accounting for privilege Level 15 commands, which is enable mode, and logs their use to the TACACS servers. You can also use Level 1 for user mode access.